McAfee is perhaps still best known as a force in anti-virus tools, but the company’s offerings today range from anti-spam to host intrusion prevention. Network World Editor in Chief John Dix recently caught up with McAfee President Gene Hodges for a company update and his view of how security is evolving.

NW: Let’s start with your view of security, how it is changing.

GH: We see an awful lot more focus on “What am I getting for my money?” “How can I be sure that a security expense is going to help me be safer.” That’s a fair question because a lot of money has been spent but a lot of damage is still being done. It is fairly frustrating to business managers to have these security tools and then hear “Yes, but we need to do this other stuff.”

There is also an important trend towards security being viewed as a critical component of regulatory compliance - everything from Sarbanes-Oxley to data privacy laws in Europe. These don’t necessarily dictate one security strategy or another, but simply drive customers to put a lot more focus on security.

And I think the community, especially large businesses, are going to focus a lot more on, “How do I minimize my cost at a given level of acceptable risk.” We haven’t felt that pressure heavily in the past couple of years, but large companies have a fairly large set of defenses and I think they will start to emphasize some and de-emphasize others.

NW: What we hear from Network World readers is they want fewer components to manage.

GH: We think that is going to be a fairly heavy buying emphasis in 2006. On the system security side, we are releasing integrated suites which cover anti-virus, anti-spyware, host intrusion prevention, application firewall and the system interface to network access control.
This is the majority of the “keep the bad guys out” security componentry, all managed through one management infrastructure.

On the network side of the house there is a convergence of three separate technologies: intrusion prevention, firewalling and content management. And we have just shipped a series of integrated content management appliances that pull together all the mail filtering functions and all the Web filtering functions - we will integrate those intrusion prevention appliances for large enterprises and service providers next year.

I believe the desire for simplifying management, which is really part of the cost containment drive, is still not going to result in customers accepting mediocre products. Best of breed or near best of breed is still going to be a requirement because there will be several vendors with fairly broad integrated offerings.

NW: What percentage of your business is in the enterprise?

GH: 55%.

NW: Is the rest of it consumer?

GH: Yes. Anti-virus is still the biggest for us. IPS is the fastest growing in terms of dollar growth. That has been a market that has moved from bleeding edge to being one that is fairly well accepted.

NW: All security vendors insist their customers use the automated response abilities of their tools, but on a recent Network World security tour most of the people in the room said they still don’t turn them on. What’s your experience?

GH: Well, in our network intrusion prevention base of customers, and this is something we watch pretty closely, 75% have automated response enabled.
Of that, I would say a fairly small amount, 10% to 20%, have all the automated responses enabled. If you go back two years ago, almost no one turned on any automated response.

NW: What do customers tend to turn on first?

GH: They turn on signatures first and that is done in an IPS system or a firewall or even a router because it has a high reliability identification of known attacks. When Zotob hit, for example, many customers had a Zotob signature already deployed.

When you go beyond the signature approach, into behavioral analysis, the first thing they tend to turn on is denial-of-service attacks because those have a fairly high success rate and a high impact. We generally lay out a step-by-step set of suggestions for the customers in terms of what we would suggest they turn on depending on the business environment.

NW: You folks have close to $1 billion in cash and short term investments. Any areas where you need to round out the portfolio?

GH: There are several. We are very interested in compliance as an area, there are multiple facets to compliance, many of them industry specific. So we will probably end up doing several relatively small acquisitions.

In addition, we are interested in managed services in general. We just announced an online managed mail service which we are OEM-ing, and that might be an area we want to get into over time.
Internet access control is an interesting area, and one that has not had a great deal of competition.

On the technology front, extrusion prevention …

NW: Is that what some refer to as the information leakage problem?

GH: Yes. Information leakage is of interest and that falls in two broad categories: the transactional types of information, making sure the guys who are touching the SAP system haven’t just compromised someone and gotten their password and their RSA token; and document oriented content, keeping contracts or confidential customer information from leaving the company. It is a market with a large number of pretty interesting companies for acquisition. I think all of the larger players will probably be relatively inquisitive.

Our perspective is the customers want to buy a solution, not piece parts. Suites that are collections of unintegrated products are less interesting to the customer than suites that are well integrated.

NW: How do you define integration?

GH: Management is the key. The basics of an integrated product are fairly easy to tell in terms of what pieces fit together. The management console needs to do more than just screen scrape. Integration at the management console level means a scheme that holds all the information so you can report using joins. I mean, you might want to ask what machines have had virus attacks and are vulnerable. That is information that will come from a vulnerability management product and from an anti-virus product.
So it means integrated structures, integrated process communication mechanisms.

NW: Given that most of the big vendors are chanting the same integration story, what sets you apart?

GH: The differentiation is on the capabilities of the specific products. For example on the systems side, we have customers with policy management systems that are deployed over a hundred thousand devices.

In a typical evolutionary market, Microsoft and Cisco are able to bring their balance sheet to bear, their marketing muscle to bear. But as the market evolves, the tough question for them is, can they keep up. That’s what makes security a viable market for smaller companies. It is hard for the battleships to get the guns trained.

I think the relative balance between the T-rexes and the raptors is going to be driven heavily by the hacker community. If the pace of hacker innovations slows down, the big guys will be able to bring their financial resources to bear and they are going to do us a lot of harm. If the bad guys remain innovative and keep coming up with new, nasty things every six months or a year, that will make it a tough target to track.

NW: Microsoft has bought a few companies and seems to be building a security story. What do you expect from them?

GH: I think they will both acquire and attempt to organically develop, and Microsoft’s objective is to be a very broad based security supplier. I think the only parts of the network where they don’t have aspirations are in network intrusion prevention and maybe Internet access control. They are not net heads. They are systems guys. They build and ship VPNs.
That isn’t competitive in large enterprises with Cisco or Juniper, but it is a very competitive product for small enterprises. So their objective is very broad ranging and I think they are extremely serious about applying resources.

From a competitive perspective, I think it is equally as foolish for us as a competitor to take them lightly as it is to assume their victory is preordained. They actually have to pass the test of stopping the hacker to earn corporate respect. And I think it will be a test even for mighty Microsoft. I mean, if it wasn’t a test, why the hell are there holes in their operating system to start with?

NW: How about competition with the core security guys, Symantec, Trend Micro, ISS?

GH: It is different for each one. With Symantec, the differentiation is predominantly on integration. Symantec has a broader product set but their product set is not well integrated and does not scale nearly as well. So the management infrastructure and the integration with the various components is the key mechanism.

ISS is a very strong competitor in IPS and the competition is typically a technical knock down, drag out battle over who has the best IPS system with all the detailed aspects of evaluation.

Trend Micro is more focused on anti-virus, so the competition within large enterprises is a knock down, drag out over detailed anti-virus capabilities. In small enterprises it is much more about who does the channel best.

NW: Anyone you see more often than others?

GH: It depends on the segment of the market. In IPS, ISS and Cisco are competitors in almost every deal. It is fairly rare that we win an IPS sale when one of those guys has not been involved. And in anti-virus it is rare that Symantec is not involved. Trend Micro is not quite at the same level but they are clearly a global player in the anti-virus market.

All of these guys are fairly high quality companies from a technology perspective.
They are not producing junk.

NW: What happens next in security?

GH: The future of security is driven by the hacker. This is not simply a market where we anticipate technology to meet customer needs. The bad guy determines what next year’s threat is going to be and when you look at the hacker community, the big change over the last two years has been its move from very bright individuals who were basically seeking fame, to organized groups driven by fortune.

We can’t say with certainty what the next type of attacks are going to be. What we can say is these attacks are possible. And the level of organization of the hackers means that much more complex attacks and much more targeted attacks are possible.

If you wanted to spend $50,000 to $100,000 you could take out the infrastructure of your biggest competitor. Now we have never seen an example of that, but it is possible and that can be applied to angry people who have many different motivations, some of them financial, some of them religious, some of them political.

So the direction of the market is going to be determined very much by how aggressively these organized groups pursue these different avenues of attack.